[strongSwan] Issues with getting traffic over the VPN without NAT
jmccourt at us.ibm.com
Wed Jul 31 14:41:25 CEST 2013
I've been struggling with this setup for quite some time now, and I'm
hoping it is quite simple.
I have access to the strongSwan side of the VPN; the other side is a Cisco
ASA 5520 (or something bigger).
Unfortunately, my access to the strongSwan side is via VNC to a Unix
console in what I feel is one of the worst virtual infrastructure providers.
So here are the details, and I'm hoping that even being vague without
every bit of data, someone will have come across this in the past.
There are 4 subnets that I want to bring over the VPN.
I only have one interface on the VPN host (eth0); the service provider
doesn't allow any others.
I am able to get traffic from the right side to the destination host, but
only when I use a NAT rule in iptables:
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE
When I take the NAT statements out (and this VPN host isn't doing anything
else, so I just flush the NAT table), it stops working.
I run tcpdumps on this host, and I see the VPN traffic, let's say a PING
from 192.168.202.100 -> 10.7.0.28. But running Wireshark on 10.7.0.28
doesn't see anything until I add the NAT rule back in.
The ultimate goal is to create a tunnel that will allow and establish based
on bi-directional traffic.
Also, since this host is not the default gateway on the 10.7.0.x segment, I
was planning on using network routes for the 4 subnets via this host,
10.7.0.10, to ensure symmetric routing.
Any help would be greatly appreciated. I've been at this for quite some
Also ip_forwarding is enabled.
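Two things a practitioner would check on the strongSwan host described above: if any MASQUERADE rule stays in the nat table, packets that are about to be encrypted must be exempted from it (via the xt_policy match) so the Cisco side still sees the real addresses, and every 10.7.0.x host needs a return route via 10.7.0.10 as planned. The script below is an added example, not from the post or the strongSwan project; eth0 is the only interface named in the post, and 192.168.202.0/24 is one assumed member of the four unspecified subnets.

```shell
#!/bin/sh
# Added example: emit the nat/POSTROUTING rules in the order they must appear,
# check an existing iptables-save dump for that order, and print the return
# route a 10.7.0.x host needs. Assumed values: eth0, 192.168.202.0/24.

# The policy match exempts packets that will be IPsec-encrypted; MASQUERADE
# then only applies to whatever is not covered by a tunnel policy.
render_nat_rules() {
    iface="$1"
    printf '%s\n' "-A POSTROUTING -o $iface -m policy --dir out --pol ipsec -j ACCEPT"
    printf '%s\n' "-A POSTROUTING -s 192.168.0.0/16 -o $iface -j MASQUERADE"
}

# Read an iptables-save style dump on stdin. Exit 0 when the ipsec exemption
# precedes the first MASQUERADE (or there is no MASQUERADE at all), 1 otherwise.
check_nat_order() {
    awk '
        /-m policy --dir out --pol ipsec -j ACCEPT/ && !seen_accept { seen_accept = NR }
        /-j MASQUERADE/ && !seen_masq { seen_masq = NR }
        END {
            if (seen_masq && !seen_accept) exit 1
            if (seen_masq && seen_accept > seen_masq) exit 1
            exit 0
        }'
}

# Return route for a remote subnet, pointing at the strongSwan box (10.7.0.10
# in the post) so replies do not leave via the segment's default gateway.
return_route() {
    printf 'ip route add %s via 10.7.0.10\n' "$1"
}

# Show what would be applied; pipe the rules into "iptables -t nat" as root.
render_nat_rules eth0
return_route 192.168.202.0/24
```

To audit a live box, run `iptables-save -t nat | check_nat_order` after sourcing the script; a non-zero exit means MASQUERADE rewrites the source before the IPsec policy lookup.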